Slave client (...) Method To Handle Potentially dangerous request. Form values detected in

This article from the csdn blog, reproduced please indicate the source: http://blog.csdn.net/zhangyj_315/archive/2009/03/06/3962394.aspx

ASP. net Control to make a simple message book. When you test detailsview to insert a message, if you insert <SCRIPT> alert ("hello") in the textbox of the inserted template ") </SCRIPT> when such a script is executed, it will report a request that is potentially dangerous from the client. form value. Think of the previous time on msdn, we can see that HTML encoding is applied to strings in Web applications.ProgramTo prevent the script from interfering with the content in this section.CodeUse htmlencode () to encode the input content to prevent script intrusion. However, if you want to verify the input box of the entire website, this is obviously cumbersome. So I went to Google and got the following four solutions.

In. net, when a request contains a string such as HTML or Javascript, the system considers the request as a dangerous value. The above error is reported immediately.

For example, if you enter some HTML code in textbox1 of a webpage, an error is returned when you click the submit button.
Solution:
Solution 1:
Add this sentence to the. aspx file header:
<% @ Page validaterequest = "false" %>
Solution 2:
Modify the Web. config file:
<Configuration>
<System. Web>
<Pages validaterequest = "false"/>
</System. Web>
</Configuration>
Because the default value of validaterequest is true. Set it to false.

Solution 3:
Of course, this can only make the interface look better. To resist injection, you have to do a lot of work on filtering.
Then, the validaterequest method is disabled, as shown below:
Do not disable validaterequest = false.
The correct method is to add the page_error () function on your current page to capture exceptions that occur while processing all pages without handling them. Then, the user is given a valid error message. If the current page does not contain page_error (), this exception will be sent to application_error () of global. asax for processing. You can also write a common exception reporting and error handling function there. If no exception handling function is written in both locations, the default error page is displayed.
For example, it takes only a short piece of code to handle this exception. Add the following code to the code-behind page:
The following is a reference clip:

Protected void page_error (Object sender, eventargs E)

{

Exception EX = server. getlasterror ();

If (ex is httprequestvalidationexception)

{

Response. Write ("enter a valid string. ");

Server. clearerror (); // if the error is not clearerror (), it will continue to be passed to application_error ().

}

}

Solution 4:

In the application_error () of the Global. asax file. This will take effect for the entire website.

Void application_error (Object sender, eventargs E)

{

// Code that runs when an unhandled error occurs

Exception EX = server. getlasterror ();

If (ex is httprequestvalidationexception)

{

Response. Write ("enter a valid string. ");

Server. clearerror (); // if the error is not clearerror (), it will continue to be passed to application_error ().

}

}